Windows XP Malware: 6X As Bad As Windows 8

WinXP is already an easy target for hackers, and it will get even simpler once Microsoft ends support for the 12-year-old OS in April.

Need another reason to quit Windows XP before Microsoft ends support for the operating system in six months? Then consider that real-world Windows XP systems already sport a much higher rate of malware infections than Microsoft's more recent operating systems.

"Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate," Mike Reavey, Microsoft's Trustworthy Computing general manager, said in a keynote presentation at this week's RSA Conference in Amsterdam. Those statistics were gathered from real-world systems. "There are over one billion Windows machines online and we can use them to track malware," he said.

Overall, Windows XP and Vista systems each encounter about 16% of all malware that's in the wild, which puts them slightly behind Windows 7 (19%) but ahead of Windows 8 (12%), according to Microsoft. Yet for every 1,000 computers scanned, an average of 9.1 Windows XP SP3 machines were malware-infected, which is nearly double the infection rate for Vista SP2 (5.5 infected machines per 1,000) and Windows 7 SP1 (4.9 machines), and almost six times the infection rate of Windows 8 RTM (1.6 machines).

Note that the Windows XP machine count refers to Service Pack 3 installations. For its predecessor, SP2, the malware infection rates were 66% higher than for SP3.

The marked decrease in infection rates for later-generation versions of Windows is a sign that Microsoft's 2004 about-face on software security and focus on bringing Secure Development Lifecycle (SDL) practices to bear on its software development has been working. "The downward rate is a sign of secure development practices," Reavey said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."

But as Microsoft counts down to April 2014, when it plans to end Windows XP support, the company is highlighting the information security shortcomings of aging versions of Windows as one more reason for customers to upgrade. "Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms," Tim Rains, the company's director of Trustworthy Computing, said in a related blog postTuesday. "While we are proud of Windows XP's success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals."

Once Windows XP stops receiving security updates, Microsoft expects the security situation to degenerate further. "On April 8, 2014, support will end for Windows XP," Rains said. "This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. After end of support, attackers will have an advantage over defenders who continue to run Windows XP."

To date, however, despite the additional security protections afforded by later-generation versions of Windows, many businesses and consumers are sticking with the 12-year-old operating system. Indeed, as of September 2013, Windows XP remained installed on 21% of PCs worldwide, and 15% of PCs in North America, according to Web analytics company StatCounter.

Currently, zero-day vulnerabilities that affect Windows XP are fetching a relatively low price -- $50,000 to $150,000 -- compared to more recent-generation Windows operating systems, because Microsoft has been patching those vulnerabilities in a relatively short timeframe, according to security expert Jason Fossen, who works at the SANS Institute.

But expect the weaponized exploit economy to change come April, when Microsoft ceases patching XP. That's because Microsoft's continued patching of its newer operating systems will give would-be XP attackers the equivalent of CliffsNotes for targeting the older OS. "After April next year, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Microsoft's Rains. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."

And how many years did users ignore that self-serving advice and stuck with XP? XP might not be the most secure OS, but it is secure enough and does the trick using hardware that works well. Throughout the years additional measures added the security that XP lacks. Moving to Win7 and especially Win8 is for many only an expense with zero benefit because they will only accomplish exactly as much as with XP and potentially even less. Also, Microsoft was incredibly successful in breeding the IE6-only web app ecosystem. That is the core reason why people stick with XP. Maybe Microsoft needs to build an ++berquirks mode that makes IE11 misbehave like IE6. And even then, upgrading Windows just costs too much.

Locking down systems e.g. softeware install policies, no user admin login, no local admin, change flash, browser, et al login to least privileged (not system), and other good security policy goes a long way but you will get push back from "power lusers" (c.f. Vista). Users get ticked off when autorun or upnp is turned off, have to wait for their USB key is scanned.

We've setup XP embedded systems using "Syslogon" (basically user logs on as system early in the boot process)(does.not load winlogon baggage) and as configured withstood attacks that hacked Win7.

We are an SMB solution provider with occasional Enterprise branch office projects. Windows XP (including Server 2003) is used on ~50% of all our customers' machines. A generous 2% for Windows 8 and 2012. Half of the dozen Win8 machines have had one or more malware incidents. We have had most of our malware tickets on the ~25% Windows 7 machines. Of malware on XP much of it was Java exploits, Office macros, Flash, etc that SMBs require for their business software.

Perhaps Microsoft is is pointing out XP because "leaks like a sieve" Windows Defender is not default on XP. Note that this statistic about how bad XP is comes from a time when XP is actively being patched by Microsoft. Hint: if you look at your Windows Update, see the gigabyte of Security Updates for previous Microsoft Updates. Currently have about 30 customers' computers on Windows 2000 and have not had a malware incident for the last 10 years (when Microsoft stopped supporting it; no updates.) MS, et al, assume 3 year upgrade cycle whereas actual is 5-7 years (more due to current economic depression) and many upgraded to XP ~2005. The cost of upgrading is doubled by newer OS hardware requirements (these people aren't gamers, they run point-of-sales and accounting software). This extra cost is further increased by inability of NT 6 codebase OS (and newer IE) to run customers' applications.

Windows XP (and Windows 2000) can continue functioning reliably if good anti-malware software and a satisfactory firewall are included. User training and Email anti-malware is a MUST.

Precompiled Ubuntu is a memory pig, not a great idea, probably why you think it is slow. Virtual Box will run on (older) systems without VT extensions (or "make" your own distro with QEMU). Other Virtualization solutions. BSD and WinPE have a smaller footprint than Linux kernel. KVM virtualization support is like HyperV quite a bit faster. I've setup Unix/VMware Player Virtualization on customer machines (Hardware) that XP doesn't support when they wish to downgrade their licenses. XP VHDs are readily available; also note VPC and Virtual Server can run on WinPE.

Win8 apparently has HyperV for 32-bit, but HyperV (on purpose?) does not work well with XP.

I was wondering how this is done and was not impressed in the end. This is basically a Linux distro made to look like Apple's OS X and the "runs Windows" claim comes courtesy of Oracle's VirtualBox which has a host of issues, most notably it is dreadfully slow. Also, if you have any peripherals that do not have a Linux driver or that cannot be accessed from within VirtualBox you are out of luck. Ah yes, and you need of course a Windows DVD (or CD for XP) and a valid license. So if you have one of these off the shelf systems that did not come with Windows DVDs then forget about this.Also, you might as well install Ubuntu and download VirtualBox and get probably a much better Linux distro to begin with. RoboLinux is really nothing special except for the preconfigured VM.